Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in control of a malicious server or who can use a 'man in the middle' attack to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.
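The result-check mistake described above, shown as an added example that is not OpenSSL's code or part of the original advisory. EVP_VerifyFinal is documented to return 1 for a valid signature, 0 for an invalid one and -1 for an error; `stub_verify_final`, `accept_flawed`, `accept_strict` and the sample byte arrays are hypothetical names and constructed data, and the exact form of the flawed check is an assumption used for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in, not OpenSSL code. It follows the documented
 * EVP_VerifyFinal return convention: 1 = valid, 0 = invalid, -1 = error. */
enum { SIG_LEN = 8 };

/* Constructed sample data. */
static const unsigned char EXPECTED[SIG_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char GOOD_SIG[SIG_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char BAD_SIG[SIG_LEN]  = {8, 7, 6, 5, 4, 3, 2, 1};

static int stub_verify_final(const unsigned char *sig, size_t len)
{
    if (sig == NULL || len != SIG_LEN)
        return -1;                 /* malformed input: cannot be decoded */
    return memcmp(sig, EXPECTED, SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed check: only 0 counts as failure, so -1 falls through as success. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!stub_verify_final(sig, len))
        return 0;
    return 1;
}

/* Corrected check: accept only an explicit 1, reject 0 and every error. */
int accept_strict(const unsigned char *sig, size_t len)
{
    return stub_verify_final(sig, len) == 1;
}

int main(void)
{
    /* A truncated length (3) models a signature that fails to parse. */
    printf("good:      flawed=%d strict=%d\n",
           accept_flawed(GOOD_SIG, SIG_LEN), accept_strict(GOOD_SIG, SIG_LEN));
    printf("bad:       flawed=%d strict=%d\n",
           accept_flawed(BAD_SIG, SIG_LEN), accept_strict(BAD_SIG, SIG_LEN));
    printf("malformed: flawed=%d strict=%d\n",
           accept_flawed(BAD_SIG, 3), accept_strict(BAD_SIG, 3));
    return 0;
}
```

When auditing callers of a tri-state verify function, any test of the form `!result` or `result != 0` deserves the same scrutiny as the flawed check here.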

UPDATE: The new openssl packages are included in Vector Linux Standard 6.0 rc4. For those running earlier release candidates and development code, and for anyone running Vector Linux Light 6.0 beta or alpha code, the new packages can be found in the packages repository.